portainer-backup
Cannot connect to portainer server using https
Hi, I was hoping to use your great little utility to run nightly backups of my portainer server, but it gives me the following error.
Do you only support http connections?
```
___ _ _ ___ _
| _ \___ _ _| |_ __ _(_)_ _ ___ _ _ | _ ) __ _ __| |___ _ _ __
| _/ _ \ '_| _/ _` | | ' \/ -_) '_| | _ \/ _` / _| / / || | '_ \
|_| \___/_| \__\__,_|_|_||_\___|_| |___/\__,_\__|_\_\\_,_| .__/
|_|
┌──────────────────────────────────────────────────────────────────┐
│ Made with ♥ by SavageSoftware, LLC © 2022 (Version 0.0.7) │
└──────────────────────────────────────────────────────────────────┘
Initializing operation : ✔ SCHEDULE
Validating portainer server : ✖ https://portainer.lan:9443
┌────────────────────────────────────────────┐
│ ✖ Connection to portainer server failed! │
└────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────┐
│ ✖ -------------------------- ERROR -------------------------- ✖ │
├───────────────┬──────────────────────────────────────────────────┤
│ ERROR MESSAGE │ unable to verify the first certificate │
└───────────────┴──────────────────────────────────────────────────┘
-------- GOODBYE --------
```
I run my portainer backup nightly using an HTTPS (secure) connection. Are you using a self-signed certificate? I'm using a Let's Encrypt certificate so if you are using a self-signed certificate, perhaps that's the difference.
Hi @savageautomate, thanks for the response. I am using self-signed certificates. After a couple of days of no progress in solving the issue, I have now managed to work around it by placing the portainer_backup container on the same docker network as the portainer container and then using the legacy HTTP connection.
I've added a copy of my compose file here in case it can help anyone else struggling with the same problem.
Thanks for a great utility :-)
```yaml
version: '3'
# Checkout the backup software here: https://github.com/SavageSoftware/portainer-backup.git
services:
  portainer-backup:
    container_name: portainer-backup
    image: savagesoftware/portainer-backup:latest
    user: ${UID}:${GID}
    restart: unless-stopped
    command: schedule
    environment:
      TZ: Europe/London
      PORTAINER_BACKUP_URL: "http://portainer:9000"
      PORTAINER_BACKUP_TOKEN: "PORTAINER_ACCESS_TOKEN"
      PORTAINER_BACKUP_PASSWORD: "xxx"
      PORTAINER_BACKUP_OVERWRITE: 1
      PORTAINER_BACKUP_SCHEDULE: "0 0 4 * * *"
      PORTAINER_BACKUP_STACKS: 0
      PORTAINER_BACKUP_DRYRUN: 0
      PORTAINER_BACKUP_CONCISE: 1
      PORTAINER_BACKUP_DIRECTORY: "/backup"
      PORTAINER_BACKUP_FILENAME: "{{DATETIME}}-portainer-backup.tar.gz"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - backup:/backup:rw
    networks:
      - portainer_default
volumes:
  # Mount a CIFS folder on dixnas1.lan for backups
  backup:
    driver: local
    driver_opts:
      type: cifs
      o: username=${BACKUP_USER},password=${BACKUP_PASSWD},rw,uid=${UID},gid=${GID},vers=3.0
      device: "\\\\192.168.1.1\\DockerBackups\\Portainer"
networks:
  portainer_default:
    external: true
```
I faced the same issue, my portainer uses a cert signed with my local root CA which is configured in the cert store of the server. I tried to map the local /etc/ssl/certs which contains my local root CA into the portainer-backup docker container, but no success. Seems that the backup software is not using the cert store from Alpine Linux.
Any plans on supporting self-signed certificates? Environment variables with rootCA path can be implemented.
Thank you, the hint with the network helped me to get this running in my LAN. I first tried to add my local DNS (--dns "MYDNSIP") which did not help either to find my local portainer, although it's using Let's Encrypt certs.
I've found a workaround for this issue. Since it's written in nodejs and uses the https lib for requests, we can just add the environment variable NODE_TLS_REJECT_UNAUTHORIZED to ignore the certificate.
```yaml
services:
  portainer-backup:
    environment:
      PORTAINER_BACKUP_URL: "https://portainer:9443"
      NODE_TLS_REJECT_UNAUTHORIZED: 0
```
Same goes for the CLI:
```
NODE_TLS_REJECT_UNAUTHORIZED=0 npx portainer-backup info --url "https://portainer:9443" -t "blah"
```
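An added example, not taken from the thread or from the portainer-backup project: `NODE_TLS_REJECT_UNAUTHORIZED: 0` turns off certificate verification for every TLS connection the Node.js process makes, whereas Node.js's `NODE_EXTRA_CA_CERTS` variable keeps verification on and adds a private CA to the trusted set. Node.js uses its own bundled CA list by default rather than the container's `/etc/ssl/certs`, which is consistent with the mounted system store above having no effect. The file name and paths under `certs/` are assumptions, and this has not been tested against this image.

```yaml
services:
  portainer-backup:
    image: savagesoftware/portainer-backup:latest
    command: schedule
    environment:
      # The host name here must match a name in the server certificate.
      PORTAINER_BACKUP_URL: "https://portainer.lan:9443"
      PORTAINER_BACKUP_TOKEN: "PORTAINER_ACCESS_TOKEN"
      # Weak setting from the workaround: no certificate checks at all.
      # NODE_TLS_REJECT_UNAUTHORIZED: 0
      # Corrected setting: verification stays on. Node.js reads this PEM file
      # once at process start and adds its certificates to the bundled CA list.
      NODE_EXTRA_CA_CERTS: "/certs/local-root-ca.pem"
    volumes:
      # Assumed host path. The PEM file holds the local root CA (plus any
      # intermediates), or the self-signed server certificate itself.
      # It must be readable by the user the container runs as.
      - ./certs/local-root-ca.pem:/certs/local-root-ca.pem:ro
      - backup:/backup:rw
volumes:
  backup: {}
```

The same variable can be set in front of the `npx portainer-backup` command when running the CLI outside a container.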
yes, that worked!!! thanks a lot